With General Data Protection Regulation (GDPR) fully enacted and enforceable as of May 25, 2018, many healthcare organizations (HCOs) in the United States are working to determine whether they need to be GDPR compliant. It's left many asking the question: Is Health Insurance Portability and Accountability Act (HIPAA) compliance is enough?
HCOs are no stranger to compliance requirements, as following HIPAA regulations has been mandatory since 1996. However, many HCOs are unaware of the need for, and unprepared to be GDPR compliant. How do the two compare and which HCOs need to follow GDPR? As a general rule, HCOs with locations in EU member states or those that collect any sort of data from EU citizens are subject to GDPR. This includes online marketing of healthcare services to all EU citizens.
Similar But Not the Same
HIPAA and GDPR have requirements overlaps but aren’t anywhere near identical. To begin, GDPR has a broader scope, relating to all sensitive personal data, whereas HIPAA applies to health information. In addition, the personal data specified by the GDPR has a broader reach, including ethnic origin or race, religious beliefs, union memberships, biometric and genetic data, sexual orientation, political affiliation, as well as any health-related data.
HIPAA, by contrast, specifies only name, birth date, address, Social Security number, facial photo, insurance information, and financial information. The main difference is that HIPAA applies to only covered entities and their business associates, whereas GDPR, as mentioned earlier, applies to any entity collecting, handling, and storing EU citizens’ sensitive personal data.
Are U.S. HCOs Ready for GDPR?
With HIPAA, some health care entities’ processes go way beyond compliance while others struggle to meet requirements. Industry experts expect the same will be the case with GDPR. With the steep fines associated with GDPR noncompliance, smart HCOs will invest in audit services that help identify compliance deficiencies for all industry and government regulations to which they are subject; and, then get to work addressing those shortcomings.